13672defb59111e2060bb24ce7fd53e176dcabb4b298fe2d4392d3e446b6aa9a

General

Target

5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe
Size

494KB
MD5

5ce5038ff3f2ba3479658491fef3db67
SHA1

47d2f5482759b1c69901fb54f12f787c3ee0189d
SHA256

13672defb59111e2060bb24ce7fd53e176dcabb4b298fe2d4392d3e446b6aa9a
SHA512

1ae3b597aaee31f4d7ca8153f2b6cf1a21da0bc748ab82d231ff766e9b015d529ce833998a18cadcb52394d2c998cc4eb7000c83fa4160ec48d8230a0198a923
SSDEEP

12288:k0eXRPegdJW6qH9Aw8YRyD5O4tZK/UDVZjY:eNRJFqH9T8Yy5jtZK/7

Score

10^/10

evasion execution persistence

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = ",C:\\Arquivos de programas\\Internet Explorer\\Connection Wizard\\iedw.exe,"	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\pluginiedw = "C:\\Arquivos de programas\\Internet Explorer\\Connection Wizard\\iedw.exe"	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2976	sc.exe
2104	sc.exe
2188	sc.exe
2184	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2104	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2104	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2104	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2104	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2188	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2188	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2188	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2188	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2184	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	34
PID 2232 wrote to memory of 2184	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	34
PID 2232 wrote to memory of 2184	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	34
PID 2232 wrote to memory of 2184	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	34
PID 2232 wrote to memory of 2976	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	36
PID 2232 wrote to memory of 2976	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	36
PID 2232 wrote to memory of 2976	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	36
PID 2232 wrote to memory of 2976	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	36
PID 2232 wrote to memory of 868	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	38
PID 2232 wrote to memory of 868	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	38
PID 2232 wrote to memory of 868	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	38
PID 2232 wrote to memory of 868	2232	5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ce5038ff3f2ba3479658491fef3db67_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" stop Alerter
  2⤵
  - Launches sc.exe
  PID:2104
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config Alerter start= disabled
  2⤵
  - Launches sc.exe
  PID:2188
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" stop wscsvc
  2⤵
  - Launches sc.exe
  PID:2184
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config wscsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2976
- C:\Windows\SysWOW64\REG.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "BootExecute" /f
  2⤵
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2232-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2232-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads